The Linux Audit Framework, managed by the auditd daemon, provides a comprehensive kernel-level mechanism for tracking security-relevant events on RHEL 7. Unlike application-level logging, the audit subsystem operates below the application layer, meaning that even a compromised process cannot suppress its own audit trail without also compromising the kernel. Properly configured, auditd records file access, system calls, user authentication events, privilege escalation, and network connections in tamper-evident logs. This tutorial covers full auditd configuration, writing persistent audit rules, querying logs with ausearch and aureport, applying compliance rule sets, and forwarding audit logs to a centralised server with audisp-remote.
Prerequisites
- RHEL 7 system with root access
- The audit package installed (included by default on RHEL 7)
- For remote logging: a second RHEL 7 server to act as the audit log aggregator
- Basic familiarity with Linux system calls and file permissions
Step 1: Verify and Start auditd
The audit package is installed by default on RHEL 7. Verify the installation and ensure the service is running:
rpm -q audit
systemctl status auditd
systemctl enable auditd
systemctl start auditd
Note that auditd must be managed with service auditd restart on RHEL 7 rather than systemctl restart auditd, because systemd hands off control to the auditd init script to ensure audit rules remain active during the restart:
service auditd restart
service auditd status
Step 2: Configure /etc/audit/auditd.conf
The main daemon configuration controls how logs are written and what happens when disk space runs low. Edit /etc/audit/auditd.conf:
vi /etc/audit/auditd.conf
Key settings to review and adjust:
# Log file location
log_file = /var/log/audit/audit.log
# Maximum size of a single log file in MB before rotation
max_log_file = 50
# Action when max_log_file is reached: rotate, syslog, suspend, keep_logs, or email
max_log_file_action = rotate
# Number of rotated logs to keep (0 = unlimited)
num_logs = 10
# Action when disk space is critically low
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = suspend
# Flush strategy: none, incremental, incremental_async, data, sync
flush = incremental_async
freq = 50
# ENRICHED appends resolved names (user, group, syscall, arch) to each record so logs stay
# interpretable on another host or after local accounts change (requires audit 2.6 or later)
log_format = ENRICHED
After editing, apply the configuration change:
service auditd restart
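The settings above interact: the admin_space_left threshold only helps if it is reached after the space_left warning, and a suspend or ignore action means auditing stops silently. The following checker is an added example, not part of the original tutorial; it parses the key = value format of auditd.conf and reports combinations that would let auditing stop or lose records. Both sample configurations (a weak one and the one recommended in this step) are constructed here; on a real host point it at /etc/audit/auditd.conf.

```sh
# Added example (not from the original tutorial): sanity-check auditd.conf thresholds.
# conf_get FILE KEY -> value of KEY (comments ignored, first match wins)
conf_get() {
    awk -v k="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key == k) {
                v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_auditd_conf FILE -> one finding per line; returns 1 if there is any finding
check_auditd_conf() {
    f=$1; rc=0
    space_left=$(conf_get "$f" space_left)
    admin=$(conf_get "$f" admin_space_left)
    size_action=$(conf_get "$f" max_log_file_action)
    admin_action=$(conf_get "$f" admin_space_left_action)
    flush=$(conf_get "$f" flush)

    # The admin threshold is the last line of defence; it must trigger after the warning.
    if [ "${admin:-0}" -ge "${space_left:-0}" ]; then
        echo "admin_space_left ($admin MB) must be below space_left ($space_left MB)"; rc=1
    fi
    # ignore/unset here means auditd keeps writing until the filesystem is full.
    case "$admin_action" in
        ignore|"") echo "admin_space_left_action is ignore/unset"; rc=1 ;;
    esac
    # Only rotate and keep_logs keep auditing going when max_log_file is reached.
    case "$size_action" in
        rotate|keep_logs) ;;
        *) echo "max_log_file_action=$size_action stops or discards logging at max_log_file"; rc=1 ;;
    esac
    # flush=none leaves records in buffers that a crash or power loss discards.
    if [ "$flush" = "none" ]; then
        echo "flush=none risks losing buffered records"; rc=1
    fi
    return $rc
}

# make_sample_confs -> prints "WEAK_FILE GOOD_FILE" (both constructed for this example)
make_sample_confs() {
    weak=$(mktemp); good=$(mktemp)
    cat > "$weak" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 50
max_log_file_action = suspend
space_left = 50
space_left_action = email
admin_space_left = 75
admin_space_left_action = ignore
flush = none
EOF
    cat > "$good" <<'EOF'
# the settings recommended in Step 2
log_file = /var/log/audit/audit.log
max_log_file = 50
max_log_file_action = rotate
num_logs = 10
space_left = 75
space_left_action = email
admin_space_left = 50
admin_space_left_action = suspend
flush = incremental_async
freq = 50
EOF
    echo "$weak $good"
}

# Usage: run both samples through the checker (on a real host: check_auditd_conf /etc/audit/auditd.conf)
files=$(make_sample_confs)
echo "== weak sample ==";        check_auditd_conf "${files%% *}" || echo "(findings above)"
echo "== recommended sample =="; check_auditd_conf "${files#* }" && echo "no findings"
rm -f ${files}
```

The weak sample produces four findings; the recommended configuration passes. The checker deliberately treats an unset admin_space_left_action as a finding, since the daemon default is ignore.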
Step 3: Write Audit Rules with auditctl
The auditctl command adds and removes audit rules at runtime. Rules added this way are active immediately but do not survive a reboot. The -w flag watches a file or directory, while -a adds a rule based on system call activity.
File Watch Rules
# Watch /etc/passwd for all access types and tag with keyword 'passwd_changes'
auditctl -w /etc/passwd -p rwxa -k passwd_changes
# Watch /etc/shadow for write and attribute changes only
auditctl -w /etc/shadow -p wa -k shadow_changes
# Watch the sudoers file
auditctl -w /etc/sudoers -p wa -k sudoers_changes
# Watch an entire directory recursively
auditctl -w /etc/ssh/ -p wa -k ssh_config_changes
# Watch for executions in /tmp (common malware staging area); only r, w, x and a are valid -p flags
auditctl -w /tmp -p x -k tmp_execution
The permissions flags mean: r = read, w = write, x = execute, a = attribute change.
System Call Rules
# Log all failed file access attempts (permission denied)
auditctl -a always,exit -F arch=b64 -S open -F exit=-EACCES -k access_denied
auditctl -a always,exit -F arch=b64 -S open -F exit=-EPERM -k access_denied
# Log privilege escalation via setuid
auditctl -a always,exit -F arch=b64 -S setuid -F a0=0 -k root_setuid
# Log all use of the 'chmod' system call
auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k chmod_events
# Log deletion of files
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k file_deletion
# List current rules
auditctl -l
Step 4: Create Persistent Audit Rules
Rules in /etc/audit/rules.d/ are compiled into /etc/audit/audit.rules on startup by the augenrules tool. Create a custom rules file:
cat > /etc/audit/rules.d/custom.rules << 'EOF'
## Buffer size - increase if you see "audit: backlog limit exceeded" in dmesg
-b 8192
## Failure mode: 0=silent, 1=printk, 2=panic
-f 1
## Watch critical system files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
## Watch PAM configuration
-w /etc/pam.d/ -p wa -k pam_changes
## SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd_config
## Log all commands run by root
-a always,exit -F arch=b64 -F euid=0 -S execve -k root_commands
-a always,exit -F arch=b32 -F euid=0 -S execve -k root_commands
## Privilege escalation
-w /usr/bin/sudo -p x -k sudo_use
-w /usr/bin/su -p x -k su_use
-w /bin/su -p x -k su_use
## Network configuration changes
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
-w /etc/hosts -p wa -k network_modifications
-w /etc/sysconfig/network -p wa -k network_modifications
## Kernel module loading
-w /sbin/insmod -p x -k module_insertion
-w /sbin/rmmod -p x -k module_removal
-w /sbin/modprobe -p x -k module_insertion
-a always,exit -F arch=b64 -S init_module -S delete_module -k module_changes
## Make the configuration immutable - must reboot to change rules
## Uncomment in production after verifying rules are correct
# -e 2
EOF
Apply the rules immediately:
augenrules --load
auditctl -l | head -40
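Rule files are loaded without much validation beyond syntax, so a rule that is keyless, uses an invalid -p flag, or covers only arch=b64 while 32-bit binaries run unaudited will load cleanly and leave a gap. The linter below is an added example, not part of the original tutorial or the audit package; it checks a rules file in the syntax used in Steps 3 and 4 for those four mistakes. The sample rules file it lints is constructed here and deliberately contains each defect.

```sh
# Added example (not from the original tutorial): lint an audit rules file.
# lint_audit_rules FILE -> one finding per line, prefixed with the line number; returns 1 if any
lint_audit_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        { rule[NR] = $0; seen[$0] = 1 }                # keep all rules so b64/b32 pairs can be matched
        END {
            bad = 0
            for (n = 1; n <= NR; n++) {
                if (!(n in rule)) continue
                l = rule[n]
                if (l ~ /^-w /) {
                    if (l !~ /-k /) { print n ": watch rule without -k key: " l; bad++ }
                    if (match(l, /-p [a-z]+/)) {
                        p = substr(l, RSTART + 3, RLENGTH - 3)
                        if (p ~ /[^rwxa]/) { print n ": invalid -p flags \"" p "\" (only r,w,x,a): " l; bad++ }
                    }
                }
                if (l ~ /^-a /) {
                    if (l !~ /-F arch=/) { print n ": syscall rule without -F arch=: " l; bad++ }
                    else if (l ~ /-F arch=b64/) {
                        twin = l; sub(/-F arch=b64/, "-F arch=b32", twin)
                        if (!(twin in seen)) { print n ": no arch=b32 twin for: " l; bad++ }
                    }
                    if (l !~ /-k /) { print n ": syscall rule without -k key: " l; bad++ }
                }
            }
            exit (bad > 0)
        }' "$1"
}

# make_sample_rules -> path of a constructed rules file containing four defects
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed sample for the linter
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /tmp -p xe -k tmp_execution
-w /etc/hosts -p wa
-a always,exit -F arch=b64 -F euid=0 -S execve -k root_commands
-a always,exit -F arch=b32 -F euid=0 -S execve -k root_commands
-a always,exit -F arch=b64 -S init_module -S delete_module -k module_changes
-a always,exit -S chmod -S fchmod -k chmod_events
EOF
    echo "$f"
}

# Usage: lint the sample; on a real host lint what you are about to load, e.g.
#   for r in /etc/audit/rules.d/*.rules; do lint_audit_rules "$r"; done
f=$(make_sample_rules)
lint_audit_rules "$f" || echo "fix the findings above before running augenrules --load"
rm -f "$f"
```

Run it over /etc/audit/rules.d/ before augenrules --load, and especially before enabling -e 2, after which fixing a rule costs a reboot. The b64/b32 check is intentionally strict: the custom.rules file above would be flagged for its sethostname and init_module rules, which is worth a conscious decision rather than an accident.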
Step 5: Search Audit Logs with ausearch
The ausearch tool queries the audit log using keywords, time ranges, users, or system calls:
# Search by key (keyword defined in -k flag of rule)
ausearch -k passwd_changes
ausearch -k sudoers --interpret
# Search for events in the last 10 minutes ('recent'; other shortcuts: today, yesterday, this-week)
ausearch -ts recent -k identity
# Search for a specific user's activity
ausearch -ua apache --interpret
# Search for failed login attempts
ausearch -m USER_LOGIN -sv no --interpret
# Search for events in a specific time range
ausearch -ts 05/17/2025 08:00:00 -te 05/17/2025 18:00:00
# Show events in human-readable format
ausearch -k root_commands -i | tail -50
Step 6: Generate Reports with aureport
The aureport tool produces summary reports of audit activity, useful for daily security reviews and compliance evidence:
# Overall summary of audit events
aureport --summary
# Authentication and account reports
aureport --auth
aureport --auth --summary
# Failed event summary
aureport --failed --summary
# Executable report (what commands were run)
aureport --executable --summary
# Login report
aureport -l
# Anomaly report
aureport --anomaly
# Report for a specific time period
aureport --start 05/17/2025 00:00:00 --end 05/17/2025 23:59:59 --summary
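Both tools read the raw records in /var/log/audit/audit.log, and knowing what those records look like makes the ausearch and aureport output in Steps 5 and 6 much easier to interpret. The block below is an added example, not part of the original tutorial: it writes a constructed audit.log (real records carry many more fields) and reproduces three of the queries above with awk, namely searching by key, listing failed logins, and a per-key summary.

```sh
# Added example (not from the original tutorial): parse raw audit records the way
# ausearch -k, ausearch -m USER_LOGIN -sv no and aureport --key --summary do.

# make_sample_audit_log -> path to a constructed audit.log (events 501-506)
make_sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1747468800.123:501): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=1000 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1747468800.123:501): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1747468860.456:502): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 ses=3 comm="id" exe="/usr/bin/id" key="root_commands"
type=USER_LOGIN msg=audit(1747468920.789:503): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1747468980.012:504): pid=2133 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.4 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1747469040.345:505): arch=c000003e syscall=2 success=no exit=-13 uid=1001 auid=1001 ses=4 comm="cat" exe="/usr/bin/cat" key="access_denied"
type=SYSCALL msg=audit(1747469100.678:506): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1000 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="root_commands"
EOF
    echo "$f"
}

# audit_search_key FILE KEY -> event serial numbers (the number after the timestamp)
# of records tagged key="KEY"; ausearch -k uses the serial to join SYSCALL and PATH records
audit_search_key() {
    awk -v k="\"$2\"" '
        index($0, "key=" k) && match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id); print id
        }' "$1"
}

# audit_failed_logins FILE -> "acct addr" per USER_LOGIN record with res=failed
audit_failed_logins() {
    awk '/^type=USER_LOGIN / && /res=failed/ {
            a = ""; h = ""
            if (match($0, /acct="[^"]*"/)) a = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /addr=[^ ]+/))   h = substr($0, RSTART + 5, RLENGTH - 5)
            print a, h
        }' "$1"
}

# audit_key_summary FILE -> "count key" per key, most frequent first (like aureport --key --summary)
audit_key_summary() {
    awk 'match($0, /key="[^"]*"/) { k = substr($0, RSTART + 5, RLENGTH - 6); c[k]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Usage against the constructed log (replace with /var/log/audit/audit.log on a real host)
f=$(make_sample_audit_log)
echo "== events tagged root_commands =="; audit_search_key "$f" root_commands
echo "== failed logins ==";               audit_failed_logins "$f"
echo "== per-key summary ==";             audit_key_summary "$f"
rm -f "$f"
```

Note that auid (the login UID set by PAM) is what ties a root shell back to the person who obtained it, which is why the root_commands rule is still attributable after su or sudo; on a real host audit_search_key would be a starting point for ausearch -a <serial>, which prints every record of that event.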
Step 7: Apply Compliance Rule Sets
The audit-libs package on RHEL 7 ships with pre-built rule sets for common compliance frameworks. These are located in /usr/share/doc/audit-*/:
ls /usr/share/doc/audit-*/
# Shows: capp.rules, nispom.rules, pci.rules, stig.rules
# Apply CIS / PCI-DSS rules
cp /usr/share/doc/audit-*/pci.rules /etc/audit/rules.d/pci.rules
augenrules --load
# Or apply STIG rules (DoD Security Technical Implementation Guide)
cp /usr/share/doc/audit-*/stig.rules /etc/audit/rules.d/stig.rules
augenrules --load
Review the applied rules before enabling the immutable flag (-e 2), which prevents any further rule changes until the next reboot.
Step 8: Configure audisp-remote for Centralised Logging
The audispd-plugins package provides the audisp-remote plugin for forwarding audit events to a remote aggregator server. Install it on the client:
yum install -y audispd-plugins
# Configure the remote plugin
vi /etc/audisp/plugins.d/au-remote.conf
Set active = yes in the plugin configuration, then configure the remote server address:
cat > /etc/audisp/audisp-remote.conf << 'EOF'
remote_server = 192.168.1.50
port = 60
transport = tcp
mode = immediate
queue_depth = 10240
fail_action = syslog
network_failure_action = syslog
EOF
On the aggregator server, install audit and configure it to listen:
# On the aggregator server:
yum install -y audit
vi /etc/audit/auditd.conf
# Set: tcp_listen_port = 60
service auditd restart
firewall-cmd --permanent --add-port=60/tcp
firewall-cmd --reload
Restart auditd on the client to activate forwarding:
service auditd restart
A properly tuned auditd configuration transforms RHEL 7 into a platform capable of satisfying PCI-DSS 10.x, CIS Benchmark Level 2, and STIG logging requirements. The combination of file watches, system call rules, and the ausearch/aureport toolset gives security teams a complete audit trail without requiring third-party software. When combined with audisp-remote, audit logs are preserved on a dedicated aggregator even if a compromised host attempts to cover its tracks. Review audit rules quarterly and run aureport --anomaly as part of your daily security checklist to catch suspicious activity early.